Opaque Access Token and Authorization Code Fixed Length Announcement

Hello everyone, we wanted to bring visibility to the fact that beginning April 12, 2022, access tokens and authorization codes will be issued with varying lengths. This supports the OAuth specification (RFC 6749) and keeps clients from making assumptions about authorization code and access token values.

Currently, the access token and authorization code sizes are fixed. The current size of the authorization code is shorter than what some security practitioners recommend. Through this change, Auth0 provides a stronger code and token while also improving the performance of Auth0 systems.

Please be sure to check your tenant logs for deprecation notices indicating requests for fixed-length access tokens and authorization codes, using the log query: type:depnote AND description:Authorization

In the Auth0 Dashboard advanced settings, there is a toggle that allows customers to disable the fixed size of these credentials to try it out. This setting can be enabled and disabled at will until April 12, 2022, at which point it will be removed and all authorization code and access token lengths will be variable.

Customers with systems configured to rely on specific-sized authorization code and access token lengths must change from fixed-sized to variable-sized configurations before April 12, 2022.

Please let us know if you have any questions!

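An added example, not part of the original announcement and not Auth0's own tooling: one way to triage exported tenant logs for the deprecation notices matched by the log query above, grouped by client application so you can see which apps still request fixed-length credentials. The export shape (one JSON event per line) and the field names are assumptions, and the sample events are constructed.

```python
import json

# Constructed sample of exported tenant log events, one JSON object per line.
# Field names (type, description, client_id, client_name, date) are assumed
# to match the export; every value below is made up for illustration.
SAMPLE_LOGS = """\
{"date": "2022-03-01T10:15:00.000Z", "type": "depnote", "description": "Authorization code: fixed length (constructed)", "client_id": "client-A", "client_name": "Billing Portal"}
{"date": "2022-03-01T10:16:00.000Z", "type": "s", "description": "Successful login", "client_id": "client-A", "client_name": "Billing Portal"}
{"date": "2022-03-02T08:00:00.000Z", "type": "depnote", "description": "Authorization code: fixed length (constructed)", "client_id": "client-B", "client_name": "Mobile App"}
{"date": "2022-03-03T09:30:00.000Z", "type": "depnote", "description": "Some other deprecated feature (constructed)", "client_id": "client-C", "client_name": "Reports"}
{"date": "2022-03-05T12:00:00.000Z", "type": "depnote", "description": "Authorization code: fixed length (constructed)", "client_id": "client-A", "client_name": "Billing Portal"}
{"date": "2022-03-06T00:00:00.000Z", "type": "depno
"""


def clients_needing_changes(lines):
    """Return ({client_id: {name, count, last_seen}}, skipped_line_count)."""
    summary, skipped = {}, 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            skipped += 1  # truncated or corrupt export line
            continue
        if not isinstance(event, dict):
            skipped += 1
            continue
        # Approximates the log query: type:depnote AND description:Authorization
        if event.get("type") != "depnote":
            continue
        if "authorization" not in str(event.get("description", "")).lower():
            continue
        cid = event.get("client_id") or "(no client_id)"
        entry = summary.setdefault(
            cid, {"name": event.get("client_name"), "count": 0, "last_seen": ""})
        entry["count"] += 1
        # ISO 8601 UTC timestamps in one format sort correctly as strings.
        entry["last_seen"] = max(entry["last_seen"], str(event.get("date", "")))
    return summary, skipped


if __name__ == "__main__":
    found, bad = clients_needing_changes(SAMPLE_LOGS.splitlines())
    for cid, info in sorted(found.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{cid}\t{info['name']}\t{info['count']}\t{info['last_seen']}")
    print(f"unparseable lines skipped: {bad}")
```

Clients that still appear after the Dashboard toggle has been switched to variable-length credentials are the ones whose storage columns, validators, or parsers need review.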
